Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.
AnalysisAI
Authentication bypass in Fortinet FortiSOAR allows unauthenticated remote attackers to circumvent two-factor authentication (2FA) protections via replay attacks against intercepted authentication tokens. Affects both PaaS and on-premise deployments of FortiSOAR versions 7.5.0-7.5.2 and 7.6.0-7.6.3. Successful exploitation requires network positioning to intercept and decrypt authentication traffic, then replay captured 2FA requests before token expiration (CVSS:3.1/AV:N/AC:H/PR:N/UI:R). EPSS data not available; no public exploit code or CISA KEV listing identified at time of analysis, though the precise attack requirements (traffic interception, decryption, timing) increase complexity beyond simple network access.
Technical ContextAI
FortiSOAR (Security Orchestration, Automation and Response) is Fortinet's SOAR platform for security operations workflow management. This vulnerability stems from CWE-287 (Improper Authentication), specifically a failure to adequately protect two-factor authentication tokens from replay attacks. The authentication mechanism does not implement sufficient anti-replay controls such as nonce validation, strict token binding, or challenge-response freshness checks. When 2FA tokens are transmitted during authentication, an attacker positioned to intercept the encrypted channel (requiring TLS compromise or man-in-the-middle capabilities) can capture and later replay these tokens within their validity window. Both PaaS (cloud-hosted) and on-premise deployment models share the vulnerable authentication implementation across FortiSOAR 7.5.x and 7.6.x release branches, as indicated by dual CPE entries for fortinet:fortisoar_paas and fortinet:fortisoar_on-premise.
RemediationAI
Apply vendor-released security updates per Fortinet advisory FG-IR-26-101 available at https://fortiguard.fortinet.com/psirt/FG-IR-26-101. Organizations should upgrade affected FortiSOAR PaaS and on-premise installations to patched versions beyond 7.5.2 and 7.6.3 as specified in the advisory. Until patching is complete, implement compensating controls including network segmentation to restrict authentication endpoint exposure, certificate pinning to prevent TLS interception, monitoring for anomalous authentication patterns (multiple rapid login attempts from different network locations), and enforcing shorter 2FA token validity windows if configuration permits. Review authentication logs for replay attempt indicators such as duplicate token usage or sessions established from unexpected geographic locations immediately following legitimate user logins.
Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauth
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut
Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attac
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in
Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22329
GHSA-6p3p-h3vc-6rh5